Add references to rules (notion_rules) (#1022)

Author: akozlovets098

rules/notion_rules/notion_account_changed_after_login.yml

@@ -14,6 +14,7 @@ Description: A Notion User logged in then changed their account details.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible account takeover. Follow up with the Notion User to determine if this email change is genuine.
+Reference: https://www.notion.so/help/account-settings
 Tests:
     - # This unit test is to make sure the logic for handling login events successfully results in
       #   caching the login info. The outputted title/alert_context are not important.

rules/notion_rules/notion_login_from_blocked_ip.yml

@@ -14,3 +14,4 @@ Description: "A user attempted to access Notion from a blocked IP address. Note:
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Confirm with user if the login was legitimate. If so, determine why the IP is blocked.
+Reference: https://www.notion.so/help/allowlist-ip

rules/notion_rules/notion_login_from_new_location.yml

@@ -14,6 +14,7 @@ Description: A Notion User logged in from a new location.
 DedupPeriodMinutes: 60
 Threshold: 1 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible account takeover. Follow up with the Notion User to determine if this login is genuine.
+Reference: https://ipinfo.io/products/ip-geolocation-api
 Tests:
     - Name: Login from normal location
       ExpectedResult: false

rules/notion_rules/notion_many_pages_deleted.yml

@@ -14,6 +14,7 @@ Description: A Notion User deleted multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages deleted; please change this value to suit your organization's needs.
 Runbook: Possible Data Destruction. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/duplicate-delete-and-restore-content
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_many_pages_exported.yml

@@ -14,6 +14,7 @@ Description: A Notion User exported multiple pages.
 DedupPeriodMinutes: 60
 Threshold: 10 # Number of pages exported; please change this value to suit your organization's needs.
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/export-your-content
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_page_accessible_to_api.yml

@@ -14,3 +14,4 @@ Description: "A new API integration was added to a Notion page, or it's permissi
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/sharing-and-permissions

rules/notion_rules/notion_page_accessible_to_guests.yml

@@ -14,6 +14,7 @@ Description: The external guest permissions for a Notion page have been altered.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/sharing-and-permissions
 Tests:
   - Name: Guest Role Added
     ExpectedResult: true

rules/notion_rules/notion_page_shared_to_web.yml

@@ -14,3 +14,4 @@ Description: A Notion User published a page to the web.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Potential information exposure - review the shared page and rectify if needed.
+Reference: https://www.notion.so/help/public-pages-and-web-publishing

rules/notion_rules/notion_page_view_impossible_travel.yml

@@ -15,6 +15,7 @@ Description: A Notion User viewed a page from 2 locations simultaneously
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible account compromise. Review activity of this user.
+Reference: https://raxis.com/blog/simultaneous-sessions/
 Tests:
   - Name: Normal Page View
     ExpectedResult: False

rules/notion_rules/notion_scim_token_generated.yml

@@ -14,6 +14,7 @@ Severity: Medium
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Initial Access. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/provision-users-and-groups-with-scim
 Tests:
     - ExpectedResult: false
       Log:

rules/notion_rules/notion_workspace_audit_log_exported.yml

@@ -14,6 +14,7 @@ Description: A Notion User exported audit logs for your organization’s workspa
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/audit-log#export-your-audit-log
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_workspace_exported.yml

@@ -14,6 +14,7 @@ Description: A Notion User exported an existing workspace.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: Possible Data Exfiltration. Follow up with the Notion User to determine if this was done for a valid business reason.
+Reference: https://www.notion.so/help/workspace-settings#export-an-entire-workspace
 Tests:
     - Name: Workspace Exported
       ExpectedResult: true

rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml

@@ -14,6 +14,7 @@ Description: A Notion User changed settings to enforce SAML SSO configurations f
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook:  Follow up with the Notion User to determine if this was done for a valid business reason and to ensure these settings get re-enabled quickly for best security practices.
+Reference: https://www.notion.so/help/saml-sso-configuration
 Tests:
     - Name: Other Event
       ExpectedResult: false

rules/notion_rules/notion_workspace_settings_public_homepage_added.yml

@@ -14,6 +14,7 @@ Description: A Notion page was set to public in your worksace.
 DedupPeriodMinutes: 60
 Threshold: 1
 Runbook: A Notion page was made public. Check with the author to determine why this page was made public.
+Reference: https://www.notion.so/help/public-pages-and-web-publishing
 Tests:
   - Name: Public page added
     ExpectedResult: true